Ethernet Switching

Port Security IP address MAC binding

‎05-26-2019 05:52 AM

Hello,

I need to configure port security (on an EX2200) in such a way as to restrict the end-user to a single dedicated port and the IP address he has been given by the Network Administrator. We have multiple IPs, some with limited access and others with full access or access to other zones/servers.

MAC address bound to IP and also bound to a particular switch port.

Is this possible without using DHCP?


Re: Port Security IP address MAC binding

‎05-26-2019 01:33 PM

Since you do not appear to want to run DHCP, I can only assume IPs are hard-coded locally (by the user?). You said, "I need to configure a port security" => what level of port security is required and why? What is the security supposed to provide, to solve what requirement? Is it just single MAC/IP binding to a specific interface?


I assume you are running just L2 on the EX2200. I think you could do MAC binding on a port-by-port basis with Firewall Filters. If only L2, I doubt the EX2200 can do anything with IP or with where traffic flows traverse.


If you are running L3, then via FF you should be able to add port-by-port interface binding to IP. Then via routing or VRFs you could control who gets to go where.


I doubt you'd actually want to do any of the above. My suggestion would be to tell us what 'situation' you are trying to solve and what your whole network looks like, and then someone might be able to suggest a much better solution.


Re: Port Security IP address MAC binding

‎05-27-2019 12:10 AM

Hi!

You can run DHCP snooping, ARP inspection and IP source guard for that.

But those features are enabled per VLAN, so those special hosts need to be in a separate VLAN, and you need to fill the DHCP snooping database statically via configuration.

Additionally, on those ports you enable port security with a MAC address count of 1 and enter a fixed MAC address, or use sticky MAC address.

It is cumbersome but possible to do.

Regards,

Alexander
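The steps Alexander lists above, written out as a Junos set-style configuration for one host on one access port. This is an added example, not configuration posted in the thread. Assumed values: a VLAN named restricted-hosts with VLAN ID 100, access port ge-0/0/1.0, host IP 192.0.2.10 (RFC 5737 documentation range) and host MAC 00:00:5e:00:53:01 (IEEE documentation range). The statement names follow the legacy EX-series `ethernet-switching-options secure-access-port` hierarchy; check them against the Junos release on your EX2200 before committing.

```junos
# Added example (not from the thread). Assumed: VLAN "restricted-hosts" (ID 100),
# access port ge-0/0/1.0, host IP 192.0.2.10, host MAC 00:00:5e:00:53:01.

# 1. Dedicated VLAN for the statically addressed hosts. The features below
#    are enabled per VLAN, so these hosts must not share a VLAN with others.
set vlans restricted-hosts vlan-id 100
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members restricted-hosts

# 2. DHCP snooping, dynamic ARP inspection and IP source guard on that VLAN only.
#    arp-inspection and ip-source-guard both consult the DHCP snooping database,
#    so examine-dhcp must stay enabled even though no DHCP server is in use.
set ethernet-switching-options secure-access-port vlan restricted-hosts examine-dhcp
set ethernet-switching-options secure-access-port vlan restricted-hosts arp-inspection
set ethernet-switching-options secure-access-port vlan restricted-hosts ip-source-guard

# 3. Populate the snooping database statically: IP <-> MAC <-> VLAN <-> port.
#    Without DHCP this static entry is the only way a binding gets into the table,
#    so traffic from any other source IP on this port is dropped by IP source guard
#    and ARP replies that do not match it are dropped by ARP inspection.
set ethernet-switching-options secure-access-port interface ge-0/0/1.0 static-ip 192.0.2.10 vlan restricted-hosts mac 00:00:5e:00:53:01

# 4. Port security: exactly one MAC on the port, pinned to the assigned address.
set ethernet-switching-options secure-access-port interface ge-0/0/1.0 mac-limit 1 action drop
set ethernet-switching-options secure-access-port interface ge-0/0/1.0 allowed-mac 00:00:5e:00:53:01

#    Alternative to allowed-mac: sticky MAC, i.e. learn the first MAC seen on the
#    port and retain it (persistent-learning). Use one approach or the other.
# set ethernet-switching-options secure-access-port interface ge-0/0/1.0 persistent-learning
```

Repeat steps 3 and 4 for each restricted host and port. After the commit, `show dhcp snooping binding` should list the static entry for 192.0.2.10 on ge-0/0/1.0, and `show ethernet-switching table` should show only the allowed MAC on that port; a host that changes its IP or MAC stops passing traffic rather than gaining the access assigned to a different address.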